25.2.7 Troubleshooting Access-Denial Messages

The decisions that SELinux has made about allowing or denying access are stored in the
Access Vector Cache (AVC). If the auditing service (auditd) is not
running, SELinux logs AVC denial messages to /var/log/messages.
Otherwise, the messages are logged to /var/log/audit/audit.log. If the
setroubleshootd daemon is running, easier-to-read versions of the
denial messages are also written to /var/log/messages.

If you have installed the setroubleshoot and
setroubleshoot-server packages, the auditd and
setroubleshoot services are running, and you are using the X Window
System, you can use the sealert -b command to run the SELinux Alert
Browser, which displays information about SELinux AVC denials. To view the details of the
alert, click Show. To view a recommended solution, click
Troubleshoot.

If you do not use the SELinux Alert Browser, you can search in
/var/log/audit/audit.log for messages containing the string
denied, and in /var/log/messages for messages
containing the string SELinux is preventing. The following are common causes of
access denials, with a possible solution for each:

A Boolean that configures a security policy for a service is set incorrectly.

A solution might be to change the value of a Boolean. For example, allow users' home
directories to be browsable by turning on
httpd_enable_homedirs:

# setsebool -P httpd_enable_homedirs on

A service attempts to access a port to which a security policy does not allow
access.

If the service's use of the port is valid, a solution is to use
semanage to add the port to the policy configuration. For example,
allow the Apache HTTP server to listen on port 8000:

# semanage port -a -t http_port_t -p tcp 8000

An update to a package causes an application to behave in a way that breaks an
existing security policy.

You can use the audit2allow -w -a command to view the reason why
an access denial occurred.

If you then run the audit2allow -a -M
module command, it creates a type enforcement
(.te) file and a policy package (.pp) file. You
can use the policy package file with the semodule -i
module.pp command to stop the error from
recurring. This procedure is usually intended to allow package updates to function
until an amended policy is available. Because the generated module simply allows every
access that the audit log recorded as denied, review the .te file before loading it. If
used incorrectly, this procedure can create potential security holes on your system.
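As an added example, not part of this guide, the script below extracts the AVC denial records discussed above from constructed audit.log lines, counts identical denials, and maps each distinct denial onto the three causes listed (port label, Boolean, or review with audit2allow). It assumes the standard AVC record layout written by auditd; the sample lines and the cause heuristics are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not taken from the guide); the field layout
# follows the kernel's AVC record format as written by auditd.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1400000000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1400000000.123:456): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1400000000.789:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1400000000.790:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source type, target type, class, perms) for an AVC denial line, else None."""
    m = PERMS_RE.search(line)
    if m is None:
        return None  # SYSCALL, CWD, PATH and other record types carry no denial
    fields = dict(FIELD_RE.findall(line))
    # A context is user:role:type:level; policy rules are written against the type (index 2).
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], tuple(sorted(m.group(1).split()))

def suggest(stype, ttype, tclass, perms):
    """Heuristic mapping onto the causes in this section; anything else goes to audit2allow -w -a."""
    if tclass in ("tcp_socket", "udp_socket") and "name_bind" in perms:
        return "port label (semanage port, only if the service's use of the port is valid)"
    if ttype.startswith("user_home") and tclass in ("file", "dir"):
        return "Boolean (check getsebool -a for a Boolean covering %s access to home directories)" % stype
    return "review with audit2allow -w -a before considering a local policy module"

def summarize(log_text):
    """Count identical denials and attach a suggested cause to each distinct one."""
    counts = Counter(k for k in map(parse_avc, log_text.splitlines()) if k is not None)
    return [dict(source=s, target=t, tclass=c, perms=list(p), count=n, cause=suggest(s, t, c, p))
            for (s, t, c, p), n in sorted(counts.items())]

if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT_LOG):
        print("%(count)dx %(source)s -> %(target)s (%(tclass)s %(perms)s): %(cause)s" % row)
```

To run it against a real system, replace SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log; the suggested cause is a starting point, not a substitute for reading the full audit2allow -w -a explanation.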